The P.R.I.S.M.
Author Topic: TSR TOOL NEAT & CLEAN: Version 6.4  (Read 2455 times)
JohanTSR
The Prism Collective
**
Posts: 5


« Reply #30 on: July 24, 2009, 05:49:37 PM »

Hello,
My name is Johan Isacsson and I'm one of the programmers working with this application you are discussing.
I'm also one of the original founders of TSR.

Thomas brought this thread to my attention, if you have any technical questions about what the program does I'm happy to answer them.
As for the library injection thing, I don't know what causes that warning but we rely on some external DLLs which I suspect might cause this (SlimDX or Smart Property Grid most likely), do you have any more details on that warning? Does it happen when you install the program or when you launch the app?

What do you mean by adding itself to the registry at startup, is it during install or when running the app you mean?
If it's the installer well that's the way our installation software does it, we pretty much used the defaults (Advancedinstaller).
The actual application shouldn't add anything to the registry at launch, if you claim it does please let me know exactly what it does and I can see if I can find something that could cause it.

Yes we load 4 images and an XML document when the welcome screen is displayed. We don't add any own information to the http requests headers or anything like that and we use the standard .net stuff to do it. Is that called phone home? I thought that meant sending off information, not just loading data from the net.

If someone modifies the program or any other program for that matter and manages to distribute it they have the potential to do a lot of bad things, I don't think our http requests make it any worse, IMHO.

Regards,
Johan Isacsson

While I finish the code tests I want to ask Thomas:

Why does it add itself to the registry at startup without asking permission? (I know Yahoo does the same with its Messenger and toolbar, but 2 wrongs don't make a right, no matter how big the company is)

I want you to confirm that it phones home at startup, this is so the program can show you the latest subscriber downloads available on TSR. This is a security risk, as anyone who distributes your tool and MODIFIES IT, can infect tons of computers with ease. By default the tool must NOT phone home IMO.

Will be back later

EDIT: I want clarification of this too: 5. NO WARRANTIES
IBIBI HB expressly disclaims any warranty for the SOFTWARE PRODUCT. The SOFTWARE PRODUCT is provided 'As Is' without any express or implied warranty of any kind, including but not limited to any warranties of merchantability, noninfringement, or fitness of a particular purpose. IBIBI HB does not warrant or assume responsibility for the accuracy or completeness of any information, text, graphics, links or other items contained within the SOFTWARE PRODUCT. IBIBI HB makes no warranties respecting any harm that may be caused by the transmission of a computer virus, worm, time bomb, logic bomb, or other such computer program. IBIBI HB further expressly disclaims any warranty or representation to Authorized Users or to any third party.

You must guarantee your software is worm free
Logged
ThomasTSR
The Prism Collective
**
Posts: 14



« Reply #31 on: July 25, 2009, 01:01:58 AM »

In reply to the disclaimer NO WARRANTIES.

While WE guarantee a worm/virus/malware free tool, we can not guarantee that someone does not do as you've suggested and redistribute it containing such things. So this clause is simply there to protect US in case someone is up to such a thing.
Logged
Sblade
Sec. Admin & Starforce DRM/Game Team Leader
Administrator
The Prism Collective
*****
Posts: 1469


Inspector SwitchBlade


WWW
« Reply #32 on: July 25, 2009, 01:35:22 AM »

Quote from: ThomasTSR
> In reply to the disclaimer NO WARRANTIES.
>
> While WE guarantee a worm/virus/malware free tool, we can not guarantee that someone does not do as you've suggested and redistribute it containing such things. So this clause is simply there to protect US in case someone is up to such a thing.

Then the disclaimer must put it the way you have said those words. Meaning it is safe iff downloaded from TSR, and unsafe if downloaded from another location. That's my opinion and I stand by it


Quote from: JohanTSR
> Hello,
> My name is Johan Isacsson and I'm one of the programmers working with this application you are discussing.
> I'm also one of the original founders of TSR.
>
> Thomas brought this thread to my attention, if you have any technical questions about what the program does I'm happy to answer them.
> As for the library injection thing, I don't know what causes that warning but we rely on some external DLLs which I suspect might cause this (SlimDX or Smart Property Grid most likely), do you have any more details on that warning? Does it happen when you install the program or when you launch the app?
>
> What do you mean by adding itself to the registry at startup, is it during install or when running the app you mean?
> If it's the installer well that's the way our installation software does it, we pretty much used the defaults (Advancedinstaller).
> The actual application shouldn't add anything to the registry at launch, if you claim it does please let me know exactly what it does and I can see if I can find something that could cause it.
>
> Yes we load 4 images and an XML document when the welcome screen is displayed. We don't add any own information to the http requests headers or anything like that and we use the standard .net stuff to do it. Is that called phone home? I thought that meant sending off information, not just loading data from the net.
>
> If someone modifies the program or any other program for that matter and manages to distribute it they have the potential to do a lot of bad things, I don't think our http requests make it any worse, IMHO.
>
> Regards,
> Johan Isacsson


The warning might be due to it modifying some DLLs after creating them. But they are their OWN DLLs. In the preliminary tests I have found 0 dangerous objects. The only discussable thing that the tool does is phoning home, which comes down to taste, and should be safe AS LONG AS YOU DOWNLOAD IT FROM TSR. It is strongly advised NOT TO get it from another location.

I'm closing this down and editing the title. If anyone wants me to re-open the discussion I would need:

a) proof it has been DL'ed from TSR

b) Screenshot and DETAILS (not like the old man PEscado) from at least 2 different AV/Antispyware applications

c) instructions for reproducing the output.

I publicly apologize to Thomas and The Sims Resource for the initial inconsistent report, which came from a long trusted source, which from now on will no longer be trusted.


Regards
Sblade

LOCKDOWN :evil:

EDIT: Will be open till ThomasTSR posts. Will be relocked after. All other posts will be removed
« Last Edit: July 25, 2009, 02:06:47 AM by Sblade » Logged

ThomasTSR
The Prism Collective
**
Posts: 14



« Reply #33 on: July 25, 2009, 02:48:23 AM »

Thank you Sblade for your investigation - we appreciate it very much!

We will update the EULA accordingly in the next release of the tool (which happens almost daily with smaller bugfixes).

Hats off to you and your team.
Logged
Sblade
Sec. Admin & Starforce DRM/Game Team Leader
Administrator
The Prism Collective
*****
Posts: 1469


Inspector SwitchBlade


WWW
« Reply #34 on: August 02, 2009, 08:55:39 AM »

Hi there Thomas.

I have been able to reproduce the Library Injection output in a CLEAN vmware machine.
The first warning about the tool to launch at Windows startup is nothing out of the ordinary, might be done for reducing load times to simmers. This is the reason the first warning screenshot is NOT the reason I reopened the thread.

The second warning is just unacceptable. Click on the attachment to see.

A library program that is automatically loaded AT STARTUP and by some or ALL applications seems like a NO NO for me.

Tested on:

TSR installer 0.6.1.0

Vmware 6.5 build 156735

Inside the VMware Machine: Trend Micro Internet Security Pro 2009

I'm going to try some other AV applications, and I hope not to meet the warning anymore. Meanwhile, that warning is enough for me to reopen the thread


* 2ndwarningHighSecurityRiskdetailssmall.JPG (127.97 KB, 1014x741 - viewed 35 times.)
Logged

Calipip4
Champion of Virtue
Administrator
The Prism Collective
*****
Posts: 4844


aka Lisa


WWW
« Reply #35 on: August 02, 2009, 09:30:27 AM »

Thanks for the heads-up Blade.  Respect

If that's from the older tool.... I'd like to see the results of the newer tool too.... and I'd like it tested with other AV's and Malware blockers if possible.  Sigh
Logged

 Nasty DRM's 
Sblade
Sec. Admin & Starforce DRM/Game Team Leader
Administrator
The Prism Collective
*****
Posts: 1469


Inspector SwitchBlade


WWW
« Reply #36 on: August 02, 2009, 09:34:50 AM »

Quote from: Calipip4
> Thanks for the heads-up Blade.  Respect
>
> If that's from the older tool.... I'd like to see the results of the newer tool too.... and I'd like it tested with other AV's and Malware blockers if possible.  Sigh

Tested and downloaded NOW just from TSR. Version 6.3.0 same warnings  Huh

The warning means it is modifying a program or VARIOUS programs. By modifying a program's extension, you can modify a program's behaviour entirely.
That thread added to the Windows Startup we got in the first warning.... seems like a trojan horse behaviour even if the code is safe.


* firstwarningdetails.JPG (127.75 KB, 965x809 - viewed 34 times.)
« Last Edit: August 02, 2009, 09:48:24 AM by Sblade » Logged

DarkRaven
Avatar Queen & DRM/Game Tester
Administrator
The Prism Collective
*****
Posts: 1904


aka Roxy


« Reply #37 on: August 02, 2009, 09:48:13 AM »

That error doesn't sound good.  Thanks for testing things Blade.   Respect
Logged
evlncrn8
Tech Staff
The Prism Collective
****
Posts: 24


« Reply #38 on: August 02, 2009, 09:59:36 AM »

@Thomas, the dll injection I can only suspect is done via appinit_dlls, to make a global hook in all processes (user32.dll uses this registry key to subload other dlls when user32.dll is loaded), would I be right?
Logged
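
One way to check the AppInit_DLLs suspicion in the reply above, and the startup-entry warning from earlier in the thread, as an added example that is not code from any poster or from TSR: it compares two `reg export` snapshots of a clean VM, taken before and after installing a program, and reports changes to the AppInit_DLLs values and the Run keys. The snapshot contents and every path in them are constructed placeholders, not observations of the TSR tool.

```python
import re
# Registry keys behind the two warnings in the thread, lower-cased for matching.
WATCHED = {
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows": "AppInit_DLLs",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": "Run (all users)",
    r"hkey_current_user\software\microsoft\windows\currentversion\run": "Run (current user)",
}
APPINIT_VALUES = {"appinit_dlls", "loadappinit_dlls"}

def parse_reg(text):
    """Parse `reg export` text into {key: {value_name: raw_data}}, names lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def diff_watched(before, after):
    """Return (label, value_name, old, new) for every change under a watched key."""
    b, a = parse_reg(before), parse_reg(after)
    findings = []
    for key, label in WATCHED.items():
        old, new = b.get(key, {}), a.get(key, {})
        for name in sorted(set(old) | set(new)):
            if label == "AppInit_DLLs" and name not in APPINIT_VALUES:
                continue  # this key also holds unrelated window-manager settings
            if old.get(name) != new.get(name):
                findings.append((label, name, old.get(name), new.get(name)))
    return findings

# Constructed snapshots with placeholder paths; not taken from the TSR tool.
BEFORE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExistingApp"="C:\\Example\\existing.exe"'''
AFTER = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Example\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExistingApp"="C:\\Example\\existing.exe"
"ExampleTool"="C:\\Example\\tool.exe"'''

if __name__ == "__main__":
    print(*diff_watched(BEFORE, AFTER), sep="\n")
```

Real `reg export` files are UTF-16, so read them with `encoding="utf-16"` before passing the text to `diff_watched`.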
Calipip4
Champion of Virtue
Administrator
The Prism Collective
*****
Posts: 4844


aka Lisa


WWW
« Reply #39 on: August 02, 2009, 11:06:50 AM »

Thanks for doing the extra testing Blade.  Smiley

This isn't looking good to me at all  Frown

For those that need more info on what Blade is talking about... use this link -  http://en.wikipedia.org/wiki/DLL_injection
Logged

 Nasty DRM's 
KarenSlayer
Retired Prism Welcomer
Retired Staff
The Prism Collective
****
Posts: 1429



« Reply #40 on: August 02, 2009, 11:16:14 AM »

I'm with the rest, thanks blade for testing it
lov kazz  Cool :Devil:
Logged

midfingr
P.R.I.S.M. Admin & DRM/Game Tester
Administrator
The Prism Collective
*****
Posts: 2680


KING of SecuROM Removal


WWW
« Reply #41 on: August 02, 2009, 12:54:46 PM »

Err, um, from the picture.. it's alerting you that the program is adding itself to the start up entry (i.e. start menu item, registry or service). I dislike that kind of stuff, but it's nothing out of the ordinary. So, the security app is giving you a choice as to whether you want it starting up with Windows or not.
Logged

Sblade
Sec. Admin & Starforce DRM/Game Team Leader
Administrator
The Prism Collective
*****
Posts: 1469


Inspector SwitchBlade


WWW
« Reply #42 on: August 02, 2009, 01:35:26 PM »

Mid check the DLL injection thing buddy. As for the ones who would like to blame Trend Micro.


Global trap? Interesting....

Tested on VMware clean machine again: Kaspersky Internet Security 2010 9.0.0.463. Same OS.

I have the startup screen too. I'll upload it later


* Kaspersky7thwarningHIGHSECURITYRISK.JPG (115.68 KB, 1152x619 - viewed 32 times.)
Logged

midfingr
P.R.I.S.M. Admin & DRM/Game Tester
Administrator
The Prism Collective
*****
Posts: 2680


KING of SecuROM Removal


WWW
« Reply #43 on: August 02, 2009, 02:33:58 PM »

Thanks Blade

That's a little more intriguing. It's hard to say looking at a screenshot. However, DLL injection could just mean code, used to alter game files, which I imagine is what this program is meant for. What happens if you disallow all of these alerts? Does the program still function? Maybe you can pin-point something that shouldn't be there.

Kaspersky Internet Security, while good, drove me looney toones when installing programs. I would look at a separate system intrusion utility to counter (of course without Kaspersky) as it tends to be very aggressive with other security software such as Spybot S & D.
Logged

Darklord
DRM/Game Tester
Prism Regulars
The Prism Collective
***
Posts: 390



« Reply #44 on: August 02, 2009, 02:46:40 PM »

I agree with mid that this program's alerts are normal for that kind of program and there's no particular evidence for malware or spyware being resident in TSR tools.
I think that dll-injection thingy can happen when an item is added to the context menu.
Also think about how TSR tools works. It's an editor that is used to change files. That's always suspicious behaviour for antivirus software or firewalls. I think we should calm down on this.  Cool
So, I won't install that prog cause I see no use for it, for now.  Snicker
Logged